Thursday, July 04, 2024

Re: how to verify OpenBSD CVS repositories from mirrors?

On Thu, Jul 04, 2024 at 08:35:59AM -0000, Stuart Henderson wrote:
> On 2024-07-03, Anon Loli <anonloli@autistici.org> wrote:
> > How do you verify the CVS repository that you got from the available Anonymous
> > CVS Servers?
> > All that I see in manual pages and FAQ is(summarized):
> > 1. CVS CHECKOUT, CVS CHECKOUT, CVS CHECKOUT
> > 3. compile
> > 4. boom, you now became awesome
> >
> > but what about step 2?
> > Like when you fetch binary images of OpenBSD, you are instructed to use signify(1)
> > in order to verify the integrity/maliciousness of the fetched data.
> > Now how in the bug do you do that for CVS repositories?
>
> Best you can do is checkout from a couple of mirrors (verifying ssh key
> fingerprints against the set on https://www.openbsd.org/anoncvs.html
> to guard against mitm) and compare the checkouts (being aware that they
> may have been updated at different times so might not all have the most
> recent commits).
>
> --
> Please keep replies on the mailing list.
>

That doesn't defend against the mirror host itself being malicious.. like HELLO
what are we talking about??
What do you mean compare the checkouts? Is there something like a hash sum for
the entire thing?
Regardless of it, it's missing in the documentation, I consider it to be a bug,
and so should you!

Shilling unverified copies from the internet is very suspicious from OpenBSD, I
must admit
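Stuart's "compare the checkouts" step, as an added example that is not part of this thread: a POSIX sh script that diffs two checkouts of the same module and uses the revision recorded in each tree's CVS/Entries to separate a mirror that merely lags behind from a file that differs at the same revision. It assumes both checkouts are already on disk; the sample trees it builds are constructed, not real OpenBSD data.

```shell
#!/bin/sh
# Compare two anonymous CVS checkouts of one module, e.g. the same tree pulled
# from two mirrors. CVS/ metadata is skipped (CVS/Root names the mirror and
# always differs). For files whose bytes differ, the revision in each tree's
# CVS/Entries tells the two cases apart: different revisions just mean one
# mirror lags behind; the same revision with different bytes is a real mismatch.

# cvs_rev TREE RELPATH: revision of RELPATH recorded in TREE's CVS/Entries, or "-".
cvs_rev() {
    entries="$1/$(dirname "$2")/CVS/Entries"
    [ -f "$entries" ] || { echo "-"; return; }
    # Entries lines look like: /name/revision/timestamp/options/tag
    awk -F/ -v n="$(basename "$2")" \
        '$2 == n { print $3; found = 1 } END { if (!found) print "-" }' "$entries"
}

# list_differences A B: one line per difference between the two checkout trees:
#   MISMATCH path revA revB   same revision, different bytes (investigate)
#   REVISION path revA revB   different revisions (mirrors synced at different times)
#   ONLY-A path / ONLY-B path file present in one tree only
list_differences() {
    a=$1; b=$2
    { (cd "$a" && find . -type f ! -path '*/CVS/*');
      (cd "$b" && find . -type f ! -path '*/CVS/*'); } | sed 's|^\./||' | sort -u |
    while IFS= read -r f; do
        if [ ! -f "$a/$f" ]; then echo "ONLY-B $f"; continue; fi
        if [ ! -f "$b/$f" ]; then echo "ONLY-A $f"; continue; fi
        cmp -s "$a/$f" "$b/$f" && continue
        ra=$(cvs_rev "$a" "$f"); rb=$(cvs_rev "$b" "$f")
        [ "$ra" = "$rb" ] && echo "MISMATCH $f $ra $rb" || echo "REVISION $f $ra $rb"
    done
}

# compare_checkouts A B: exit status 1 if any MISMATCH line was found, else 0.
compare_checkouts() {
    ! list_differences "$1" "$2" | grep -q '^MISMATCH '
}

# make_sample_trees DIR: constructed sample checkouts A and B (not real OpenBSD data).
make_sample_trees() {
    for t in A B; do mkdir -p "$1/$t/sys/kern/CVS"; echo "int a = 1;" > "$1/$t/sys/kern/a.c"; done
    echo "int b = 10;" > "$1/A/sys/kern/b.c"; echo "int b = 11;" > "$1/B/sys/kern/b.c"  # newer on B
    echo "int c = 2;" > "$1/A/sys/kern/c.c"; echo "int c = 99;" > "$1/B/sys/kern/c.c"  # same rev, altered
    echo "int d = 0;" > "$1/B/sys/kern/d.c"                                            # only on B
    ts='Thu Jul  4 08:00:00 2024'
    printf '/a.c/1.5/%s//\n/b.c/1.10/%s//\n/c.c/1.2/%s//\n' "$ts" "$ts" "$ts" > "$1/A/sys/kern/CVS/Entries"
    printf '/a.c/1.5/%s//\n/b.c/1.11/%s//\n/c.c/1.2/%s//\n/d.c/1.1/%s//\n' "$ts" "$ts" "$ts" "$ts" > "$1/B/sys/kern/CVS/Entries"
}
```

Run `make_sample_trees /tmp/cvscmp; list_differences /tmp/cvscmp/A /tmp/cvscmp/B` to see the three difference kinds; only a MISMATCH line is something a mirror's lag cannot explain.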
